Organizational Control: Information System Backup

Control ID: CP-9 Information System Backup Family: Contingency Planning Source: NIST 800-53r4
Control: The organization:
  1. Conducts backups of user-level information contained in the information system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives];
  2. Conducts backups of system-level information contained in the information system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives];
  3. Conducts backups of information system documentation including security-related documentation [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; and
  4. Protects the confidentiality, integrity, and availability of backup information at storage locations.
Supplemental Guidance:
System-level information includes, for example, system-state information, operating system and application software, and licenses. User-level information includes any information other than system-level information. Mechanisms employed by organizations to protect the integrity of information system backups include, for example, digital signatures and cryptographic hashes. Protection of system backup information while in transit is beyond the scope of this control. Information system backups reflect the requirements in contingency plans as well as other organizational requirements for backing up information.

Related Controls: CP-2, MP-4, MP-5, CP-6, SC-13
Control Enhancements:
(1) Information System Backup | Testing For Reliability / Integrity
The organization tests backup information [Assignment: organization-defined frequency] to verify media reliability and information integrity.
Supplemental Guidance:
Related Controls: CM-4

(2) Information System Backup | Test Restoration Using Sampling
The organization uses a sample of backup information in the restoration of selected information system functions as part of contingency plan testing.
Supplemental Guidance:
Related Controls: CM-4

(3) Information System Backup | Separate Storage For Critical Information
The organization stores backup copies of [Assignment: organization-defined critical information system software and other security-related information] in a separate facility or in a fire-rated container that is not collocated with the operational system.
Supplemental Guidance: Critical information system software includes, for example, operating systems, cryptographic key management systems, and intrusion detection/prevention systems. Security-related information includes, for example, organizational inventories of hardware, software, and firmware components. Alternate storage sites typically serve as separate storage facilities for organizations.
Related Controls: CM-2, CM-8
References: NIST Special Publication 800-34.
Mechanisms:

Protocol Implementation Conformance Statements: N/A